CCNA Security - Lab 20 - Cisco Site-to-Site IPSec VPN - SDM

Lab 20 


Cisco IOS Site-to-Site VPN 
Lab Objective: 

The objective of this lab exercise is for you to learn and understand how to use
Cisco SDM to configure a Cisco IOS Site-to-Site VPN.

Lab Purpose: 

A Virtual Private Network (VPN) lets you protect traffic that travels over lines 
that your organization may not own or control. VPNs can encrypt traffic sent 
over these lines and authenticate peers before any traffic is sent. 

Lab Difficulty: 

This lab has a difficulty rating of 8/10. 

Readiness Assessment: 

When you are ready for your certification exam, you should complete this lab in 
no more than 15 minutes. 

Lab Topology: 

Please use the following topology to complete this lab exercise: 



Lab 20 Configuration Tasks 
Task 1: 

Configure the hostnames and IP addresses on R1 and R2 as illustrated in the
network diagram. Configure R2 to send R1 clocking information at a rate of
512Kbps. Configure a static default route on R2 via its Serial0/0 interface. In
addition, configure a static route to the 172.17.1.0/24 subnet on R1 via its
Serial0/0 interface. Ping between R1 and R2 to verify your configuration and
ensure that the two routers have IP connectivity.

Task 2: 

Configure Host 1 with the IP address illustrated in the diagram and a default
gateway pointing to R1. Verify that Host 1 can ping R1 and R2.

Task 3: 

Configure a username of sdmadmin with
R2 using the domain name howtonetwork.net.

Configure R1 and R2 to authenticate HTTPS users based on the local username and 
password pair configured on the router. 

Task 4: 

Using SDM (from Host 1), configure Cisco IOS Site-to-Site VPN on R1 and R2 using 
the following parameters: 

Use pre-shared key authentication between the routers, with the key security

Encrypt traffic from the LAN subnet on R1 to the LAN subnet on R2 and vice versa 

Use static peers using the Serial0/0 IP addresses of the routers

Use the default encryption, hash, DH group and transform set

Lab 20 Configuration and Verification 
Task 1: 

Router(config)#hostname R1
R1(config)#int f0/0
R1(config-if)#ip address 172.16.1.1 255.255.255.0
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#int s0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shut
R1(config-if)#exit
R1(config)#ip route 172.17.1.0 255.255.255.0 serial0/0
R1(config)#exit
R1#

R2(config)#int s0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#clock rate 512000
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#int f0/0
R2(config-if)#ip address 172.17.1.2 255.255.255.0
R2(config-if)#no shut
R2(config-if)#exit
R2(config)#ip route 0.0.0.0 0.0.0.0 s0/0
R2(config)#exit
R2#


R2#ping 10.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

Task 2: 


C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   IP Address. . . . . . . . . . . . : 172.16.1.254
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.1.1

Ethernet adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected

C:\>ping 172.16.1.1

Pinging 172.16.1.1 with 32 bytes of data:

Reply from 172.16.1.1: bytes=32 time=1ms TTL=255
Reply from 172.16.1.1: bytes=32 time=1ms TTL=255
Reply from 172.16.1.1: bytes=32 time=1ms TTL=255
Reply from 172.16.1.1: bytes=32 time=1ms TTL=255

Ping statistics for 172.16.1.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\>ping 172.17.1.2

Pinging 172.17.1.2 with 32 bytes of data:

Reply from 172.17.1.2: bytes=32 time=3ms TTL=254
Reply from 172.17.1.2: bytes=32 time=3ms TTL=254
Reply from 172.17.1.2: bytes=32 time=3ms TTL=254
Reply from 172.17.1.2: bytes=32 time=3ms TTL=254

Ping statistics for 172.17.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 3ms, Maximum = 3ms, Average = 3ms

C:\>




Task 3: 

R1(config)#ip domain-name howtonetwork.net
R1(config)#crypto key generate rsa
The name for the keys will be: R1.howtonetwork.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R1(config)#ip http secure-server
R1(config)#ip http authentication local
R1(config)#username sdmadmin privilege 15 secret security
R1(config)#exit
R1#

R2(config)#ip domain-name howtonetwork.net
R2(config)#crypto key generate rsa
The name for the keys will be: R2.howtonetwork.net
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.

How many bits in the modulus [512]:
% Generating 512 bit RSA keys, keys will be non-exportable...[OK]

R2(config)#ip http secure-server
R2(config)#ip http authentication local
R2(config)#username sdmadmin privilege 15 secret security
R2(config)#exit
R2#

Task 4: 

For a reference on how to initialize and access SDM, please refer to the solutions in Lab 17. 

On the VPN page, select Site-to-Site VPN, ensure that the Create a Site to Site VPN radio button is selected
and then click on the Launch the selected task button to proceed:

[Screenshot: SDM VPN page, Site-to-Site VPN, with Create a Site to Site VPN selected and the Launch the selected
task button. SDM describes the option as: Use this option to configure a protected tunnel from this router to
another VPN device using either a pre-shared key or digital certificates. To complete this configuration, you
must know the remote device's IP address. If a pre-shared key is used for authentication, it must match the
pre-shared key configured on the remote device.]
Select the Step by step wizard radio box and click on Next to continue:































Click on the drop-down menu and select Serial0/0 as the interface for the VPN. Enter the IP address of the
Serial0/0 interface of R2 (or R1, depending on which router you decided to do first) as the static peer and ensure
that the Pre-Shared Keys radio box is highlighted. Type in the key, which should be security, and click on Next to
continue:

[Screenshot: SDM Site-to-Site VPN Wizard, VPN Connection Information page on R1 (172.16.1.1):
Select the interface for this VPN connection: Serial0/0
Select the type of peer(s) used for this VPN connection: Peer with static IP address
Enter the IP address of the remote peer: (Serial0/0 address of the other router)
Authentication ensures that each end of the VPN connection uses the same secret key.
(*) Pre-shared Keys   ( ) Digital Certificates
pre-shared key / Re-enter Key fields]
On the IKE properties page, accept the default values and click Next to continue: 





On the Transform Set page, accept the default values and click on Next to continue: 































On the Traffic to protect page, enter the source and destination networks for encrypted traffic and then click on 
Next to continue: 





























On the Summary of the Configuration page, click on Finish to complete your configuration: 

























Using the same sequence of steps, perform the same configuration on the other router (i.e. either R1 or R2, 
depending on which router you decided to start with). In addition, click on the Test VPN connectivity after 
configuring check box before clicking on the Finish button on the second router to validate your configuration as 
follows: 
[Screenshot: SDM Site-to-Site VPN Wizard, Summary of the Configuration page on the second router:

Click Finish to deliver the configuration to the router

Interface            Serial0/0
Peer Device          10.1.1.1
Authentication Type  Pre-shared key
pre-shared key       ******

IKE Policies
  Hash            SHA_1
  DH Group        group2
  Authentication  PRE_SHARE
  Encryption      3DES

Transform Set
  Name            ESP-3DES-SHA
  ESP Encryption  ESP_3DES
  ESP Integrity   ESP_SHA_HMAC
  Mode            TUNNEL]
After you click Finish to complete your configuration and then Ok for SDM to configure the router, SDM will test the
VPN for you as follows and advise you if it is up:

[Screenshot: SDM VPN Troubleshooting window:

Tunnel Details
  Interface  Serial0/0
  Peer       10.1.1.1

Activity                     Status
Checking the tunnel          Down
Checking interface           Successful
Checking the config          Successful
Checking Routing             Successful
Checking peer connectivity   Successful
Checking NAT                 Successful
Checking Firewall            Successful
Debugging the VPN            Completed
Checking the tunnel          Up

Information: VPN Troubleshooting is successful! The VPN Tunnel is up.

Configuration delivered to router]
Next, click on Monitor and select VPN Status. To view incrementing statistics, perform a continuous ping from Host 1
to 172.17.1.2 (the FastEthernet0/0 interface of R2) as follows:

C:\>ping -t 172.17.1.2

Pinging 172.17.1.2 with 32 bytes of data:

Reply from 172.17.1.2: bytes=32 time=11ms TTL=254
Reply from 172.17.1.2: bytes=32 time=11ms TTL=254
Reply from 172.17.1.2: bytes=32 time=11ms TTL=254
Reply from 172.17.1.2: bytes=32 time=10ms TTL=254
Reply from 172.17.1.2: bytes=32 time=10ms TTL=254
Reply from 172.17.1.2: bytes=32 time=11ms TTL=254
Reply from 172.17.1.2: bytes=32 time=11ms TTL=254
Reply from 172.17.1.2: bytes=32 time=11ms TTL=254
Reply from 172.17.1.2: bytes=32 time=11ms TTL=254
Lab 20 Configurations 
R1 Configuration 

R1#show running-config
Building configuration...

Current configuration : 3050 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
ip domain name howtonetwork.net
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-533650306
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-533650306
 revocation-check none
 rsakeypair TP-self-signed-533650306
!
!
crypto pki certificate chain TP-self-signed-533650306
 certificate self-signed 02
 quit
!
!
username sdmadmin privilege 15 secret 5 $1$kN05$fqVBJq4mFI98EIG5LFRbFID/
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key security address 10.1.1.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to10.1.1.2
 set peer 10.1.1.2
 set transform-set ESP-3DES-SHA
 match address 100
!
!
interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 172.17.1.0 255.255.255.0 Serial0/0
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.16.1.0 0.0.0.255 172.17.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end

R2 Configuration 

R2#show run
Building configuration...

Current configuration : 3108 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
no ip domain lookup
ip domain name howtonetwork.net
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3473940174
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3473940174
 revocation-check none
 rsakeypair TP-self-signed-3473940174
!
!
crypto pki certificate chain TP-self-signed-3473940174
 certificate self-signed 01
 quit
!
!
username sdmadmin privilege 15 secret 5 $1$/rkS$68SmNFIyIaHlmeljQXwrIWl
archive
 log config
  hidekeys
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key security address 10.1.1.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to10.1.1.1
 set peer 10.1.1.1
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 ip address 172.17.1.2 255.255.255.0
 duplex auto
 speed auto
!
interface Serial0/0
 ip address 10.1.1.2 255.255.255.252
 clock rate 512000
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
!
ip http server
ip http authentication local
ip http secure-server
!
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 172.17.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password cisco
 login
!
!
end
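The following Python script is an added consistency check and is not part of the lab or of SDM's output. It parses constructed excerpts of the R1 and R2 configurations above (built by the assumed helper lab_cfg, which reproduces the shape of the SDM-generated lines rather than the full running-configs) and verifies that the two tunnel ends mirror each other: the ISAKMP key address and crypto map peer point at the remote router's crypto-map interface, the pre-shared keys and transform sets match, and the interesting-traffic ACL on one side is the reverse of the other's. It also flags 3DES and SHA-1, the SDM defaults accepted in Task 4, as legacy algorithms.

```python
import re
def lab_cfg(local_ip, peer_ip, local_lan, remote_lan):
    # Constructed excerpt in the shape SDM generated in this lab: only the lines
    # the check needs are kept, and IOS indents sub-commands with one space.
    return f"""\
crypto isakmp key security address {peer_ip}
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer {peer_ip}
interface Serial0/0
 ip address {local_ip} 255.255.255.252
 crypto map SDM_CMAP_1
access-list 100 permit ip {local_lan} 0.0.0.255 {remote_lan} 0.0.0.255
"""
R1_CFG = lab_cfg("10.1.1.1", "10.1.1.2", "172.16.1.0", "172.17.1.0")
R2_CFG = lab_cfg("10.1.1.2", "10.1.1.1", "172.17.1.0", "172.16.1.0")

def parse(cfg):
    # Pull the IPsec-relevant facts out of one router's running-config.
    f, ifaces, cur = {}, {}, None
    for line in cfg.splitlines():
        s = line.strip()
        if not line.startswith(" "):   # a top-level command ends any interface block
            cur = None
        if m := re.match(r"interface (\S+)", s):
            cur = m.group(1)
        elif m := re.match(r"crypto isakmp key (\S+) address (\S+)", s):
            f["key"], f["key_addr"] = m.groups()
        elif m := re.match(r"crypto ipsec transform-set \S+ (.+)", s):
            f["xform"] = m.group(1)
        elif m := re.match(r"set peer (\S+)", s):
            f["peer"] = m.group(1)
        elif m := re.match(r"access-list \d+ permit ip (\S+ \S+) (\S+ \S+)", s):
            f["acl"] = m.groups()      # (source net+wildcard, destination net+wildcard)
        elif cur and (m := re.match(r"ip address (\S+)", s)):
            ifaces[cur] = m.group(1)
        elif cur and s.startswith("crypto map "):   # crypto map bound to this interface
            f["crypto_if_ip"] = ifaces.get(cur)
    return f

def check_pair(a_cfg, b_cfg):
    """Return findings for the two tunnel ends; mirrored configs give only the legacy note."""
    a, b = parse(a_cfg), parse(b_cfg)
    findings = []
    for x, y in ((a, b), (b, a)):   # each end must point at the other's crypto interface
        if x.get("key_addr") != y.get("crypto_if_ip") or x.get("peer") != y.get("crypto_if_ip"):
            findings.append("isakmp key address / set peer do not match the remote crypto interface")
    for field, what in (("key", "pre-shared keys"), ("xform", "transform sets")):
        if a.get(field) != b.get(field):
            findings.append(f"{what} differ")
    if a.get("acl") and b.get("acl") and a["acl"] != (b["acl"][1], b["acl"][0]):
        findings.append("interesting-traffic ACLs are not mirror images")
    legacy = [w for w in ("3des", "sha-hmac") if w in (a.get("xform") or "")]
    if legacy:   # 3DES and SHA-1 are the SDM defaults used in this lab
        findings.append("transform set uses legacy algorithms: " + ", ".join(legacy))
    return findings
```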